---
- name: define certbot source and backup paths
  set_fact:
    # where certbot keeps its live/archive/renewal trees on the managed host
    bp_source_path: /etc/letsencrypt
    # mirror of that tree kept on batcave (localhost in this role), see
    # https://pagure.io/copr/copr/issue/2250
    bp_backup_path: /srv/certbot-certs
  tags:
    - certbot

- name: install certbot package
  # block-style module arguments instead of a key=value string
  package:
    name: certbot
    state: present
  tags:
    - certbot

- name: install certbot config
  # rendered from certbot.j2 in the role's templates directory; the mode is
  # quoted so it stays the octal string "0644" on any YAML parser
  template:
    src: certbot.j2
    dest: /etc/sysconfig/certbot
    mode: '0644'
  tags:
    - certbot

- name: install certbot deploy script
  # optional: only when the inventory selects one of the predefined deploy
  # scripts (its name doubles as the template name)
  template:
    src: '{{ buypass.predefined_deploy_script }}'
    dest: /usr/libexec/auto-certbot-deploy
    mode: '0755'
  when: buypass.predefined_deploy_script is defined
  tags:
    - certbot

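- name: check whether we need to initialize buypass first
  # One stat result per certificate; the later tasks loop over
  # bp_stat_checks.results and read item.item.key / item.item.value.
  # Uses bp_source_path rather than repeating the literal /etc/letsencrypt so
  # the certbot location is defined in one place (see the set_fact above).
  stat:
    path: "{{ bp_source_path }}/live/{{ item.key }}"
  register: bp_stat_checks
  with_dict: "{{ buypass.certificates }}"
  tags:
    - certbot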

- name: check if we already have the backup
  # Looks on batcave (localhost) for the backup directory named after the
  # alphabetically first certificate key.
  stat:
    path: '{{ bp_backup_path }}/{{ (buypass.certificates | dictsort)[0][0] }}'
  register: bp_stat_backup_dir
  delegate_to: localhost
  tags:
    - certbot

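- name: restore the certificates from backup (backed up on batcave)
  # The backup directory is named after the alphabetically first certificate
  # key, so the "is it already present on the host" test has to pick the stat
  # result registered for that same key.  results[0] only lined up with it by
  # accident: with_dict walks buypass.certificates in the dictionary's own
  # order, which need not be the dictsort order.
  vars:
    bp_first_cert: "{{ (buypass.certificates | dictsort)[0][0] }}"
    bp_first_cert_exists: >-
      {{ bp_stat_checks.results
      | selectattr('item.key', 'equalto', bp_first_cert)
      | map(attribute='stat.exists')
      | first }}
  synchronize:
    src: "{{ bp_backup_path }}/{{ bp_first_cert }}/"
    dest: "{{ bp_source_path }}"
    mode: push
  when:
    # a templated var comes back as the string "True"/"False", hence | bool
    - not (bp_first_cert_exists | bool)
    - bp_stat_backup_dir.stat.exists
  register: some_cert_restored
  tags:
    - certbot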

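- name: initialize certbot configuration
  # Runs once per certificate that neither exists on the host nor was just
  # restored from the batcave backup.  Every interpolated inventory value is
  # shell-quoted so a space or shell metacharacter in a domain, path, key or
  # mail address cannot change the command line.
  # NOTE(review): -w is passed together with --standalone; presumably the
  # webroot only matters for the renewal config written below - confirm.
  shell: |
    certbot certonly --standalone \
      -w {{ item.item.value.challenge_dir | quote }} \
      -d {{ item.item.value.domains | map('quote') | join(' -d ') }} \
      --cert-name {{ item.item.key | quote }} \
      -m {{ item.item.value.mail | quote }} \
      --agree-tos \
      -n >> /tmp/call
  # NOTE(review): certbot's output is appended to a fixed, predictable file in
  # the shared /tmp; if the log is still wanted, prefer a root-owned location
  # (e.g. under /var/log) - TODO confirm whether this redirect is still needed.
  when:
    - not item.stat.exists
    - not some_cert_restored.changed
  with_items: "{{ bp_stat_checks.results }}"
  tags:
    - certbot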

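- name: configure certbot to use webroot next time
  # The initial issuance above used --standalone; this switches the renewal
  # config to the webroot authenticator, presumably so renewals do not need
  # the standalone listener - confirm.  Runs for every certificate, idempotent.
  # Uses bp_source_path instead of the literal /etc/letsencrypt.
  ini_file:
    dest: "{{ bp_source_path }}/renewal/{{ item.item.key }}.conf"
    section: renewalparams
    option: authenticator
    value: webroot
  with_items: "{{ bp_stat_checks.results }}"
  tags:
    - certbot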

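- name: configure certbot webroot path to use next time
  # Companion to the authenticator switch above: records the challenge
  # directory the webroot authenticator will serve from.  Renamed so the two
  # tasks no longer share one name, which made --start-at-task and the play
  # output ambiguous.  Uses bp_source_path instead of the literal path.
  ini_file:
    dest: "{{ bp_source_path }}/renewal/{{ item.item.key }}.conf"
    section: renewalparams
    option: webroot_path
    value: "{{ item.item.value.challenge_dir }}"
  with_items: "{{ bp_stat_checks.results }}"
  tags:
    - certbot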

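- name: post init script
  # Runs the deploy script once for each certificate that did not exist before
  # this play, and only when a deploy script was installed.  The key is
  # shell-quoted so it always reaches the script as one argument, however it
  # is spelled in the inventory.
  shell: |
    /usr/libexec/auto-certbot-deploy --init {{ item.item.key | quote }}
  when:
    - buypass.predefined_deploy_script is defined
    - not item.stat.exists
  with_items: "{{ bp_stat_checks.results }}"
  tags:
    - certbot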

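- name: Automatize cert renewal
  # Enables and starts the packaged systemd timer (presumably the one that
  # periodically runs certbot renew).
  service:
    name: certbot-renew.timer
    state: started
    # true/false only: "yes" is a boolean under YAML 1.1 but a plain string
    # under YAML 1.2, so its meaning depends on the parser
    enabled: true
  tags:
    - certbot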

# When we do 'systemctl restart', lighttpd is initially started as the "root"
# process (while the config is loaded) and only later does setuid(lighttpd), so
# "restart" alone is fine.  However, we also do 'killall -HUP lighttpd' on
# several occasions, and then the 'lighttpd' user needs to have the access.  See
# the following issues:
#   https://pagure.io/copr/copr/issue/2001
# Resolves:
#   https://pagure.io/fedora-infrastructure/issue/10391
- name: allow lighttpd to step into certbots directories
  # Grants traverse (--x) only, not read: lighttpd must be able to descend
  # into these directories, while the files inside keep their own permissions.
  acl:
    path: '{{ item }}'
    entity: lighttpd
    etype: user
    permissions: --x
    state: present
  with_items:
    - /etc/letsencrypt/archive
    - /etc/letsencrypt/live
  # equivalent to "is defined and equals lighttpd": an undefined value falls
  # back to the empty string, which never matches
  when: buypass.predefined_deploy_script | default('') == 'lighttpd'
  tags:
    - certbot

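- name: prepare the certbot backup directory on batcave
  delegate_to: localhost
  file:
    path: "{{ bp_backup_path }}"
    # nobody, except for root, can step into this directory (on batcave).
    # Quoted so the mode reaches the module as the octal string "0700" on any
    # YAML parser: unquoted 0700 is an int under YAML 1.1 and decimal 700
    # under YAML 1.2.
    mode: "0700"
    owner: root
    group: root
    state: directory
  tags:
    # list form, consistent with every other task in this file
    - certbot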

- name: backup the buypass certs to batcave directory
  # Pulls the whole certbot tree from the host into one per-certificate
  # directory on batcave (localhost); the restore task above reads the one
  # named after the alphabetically first key.  The tree presumably contains
  # the private keys, which is why the parent directory is root-only.
  with_dict: '{{ buypass.certificates }}'
  synchronize:
    mode: pull
    src: '{{ bp_source_path }}/'
    dest: '{{ bp_backup_path }}/{{ item.key }}'
  tags:
    - certbot
